GDPR: How to protect the rights and freedoms of students without stifling teacher innovation

Posted by: John-Arthur Berg, itslearning
Updated Sep 30, 2021

https://itslearning.com/global/news/gdpr-data-protection-officer/

I have always believed that the best teachers are the ones who can continuously reinvent their practices. A tech-savvy teacher is not necessarily a good teacher. A great teacher is one who is innovative and has the ability to combine new technology with sound pedagogical practices that can make a lasting impact on the learning outcomes of their students. This teacher cares for her students and will find ways to elevate their learning.

These teachers are often called trailblazers; early adopters of new practices and technology, laying the foundation for other teachers. Most schools have at least one trailblazer, who will enthusiastically and thoughtfully apply new technologies into their teaching and learning activities. But it can also be a minefield navigating new technologies.

Many of these new technologies come in the form of online services (software as a service, SaaS) that require some transfer of personal data. General Data Protection Regulation (GDPR) makes it hard for school leaders to avoid asking difficult questions about the governance of such services.

Preserve the rights of students without stifling innovation

To process personal data of your students, GDPR will require you to make sure:

• There is a lawful purpose
• There is appropriate technical and organizational security
• The student (and/or their parents) is informed and knows their rights
• You (or anyone else involved in the process) do not use the data for any other purpose
• The student’s data is deleted as soon as the purpose for the processing is no longer valid

It is important for both school administration and teachers (who are often the ones collecting student data) to understand these provisions under GDPR. The school or local authority administering the school could end up paying a hefty fine if personal data is passed on to 3^rd parties without due consideration.

In my capacity as the data protection evangelist at itslearning, I would advise schools to evaluate the software that is being used. Teachers, especially the trailblazers, should understand the implications of adopting software in their classrooms that has not been evaluated and endorsed by the school authorities. Teachers should not be in the position to arbitrarily decide and control the flow of personal data into various services.

Does this mean stifling innovation and cracking down on the use of new technologies in the classroom? No. But perhaps we can, as has been often shown in history, solve a technical problem with a technological solution.

Evaluate and approve any software used in school

First, standardization. Interoperability standards are efficient ways of allowing product ecosystems to develop on top of a standardized infrastructure. Like how your electrical wall socket allows a plethora of devices (‘products’) to be seamlessly brought into your home.

Standards already exist for allowing online tools and services to communicate with learning management systems (LMS) and other platforms. One of the most widely adopted standard is IMS LTI. But LTI has some challenges in terms of GDPR. It allows for teachers to easily pass on personal data to 3^rd party solutions and it currently lacks a simple mechanism for deleting the personal data once the purpose for the processing comes to an end.

Joint code of conduct

Which brings us to another element of standardization: Code of Conduct. GDPR allows for industry norms to be developed (and approved), to develop uniform standards for how to secure software that processes personal data. A joint code of conduct would massively simplify a school owner’s burden of ensuring, and giving evidence of, a 3^rd party providing the appropriate level of security.

A management platform is needed to control the ecosystem of educational apps that school owners allow teachers to bring into their classroom ecosystem. These platforms already exist in many markets, and are referred to as Learning Management Systems such as itslearning. An LMS helps school owners balance control and freedom in a way that gives teachers the option to develop their own practices around individual tools.

Due diligence

The last issue to be tackled is the limited bandwidth schools have for doing their due diligence on online services before approving them for use by teachers. But with the appropriate changes to technology standards (like LTI) and good industry standards, perhaps this work could in some cases be left to the LMS. The learning platform could bring an ecosystem of tools in as sub-processors, and take a joint responsibility together with school owners for GDPR compliance across a wide range of online services.

In my view, GDPR is a very good law. It is good for students, it is good for educational institutions and it is good for the EdTech industry. There is massive potential in using technology and cloud services to improve teaching practices and learning outcomes. One of the keys to unlocking this potential is to earn the trust of teachers, students and parents. In this sense, the increased focus on data protection and privacy from GDPR will be beneficial for everyone in the school environment.

itslearning is one of the first LMS providers to become GDPR compliant.

John-Arthur Berg, itslearning
Originally published March 13, 2018. Updated Sep 30, 2021